I have seen the enemy, and it is me.

April 30th, 2010

I recently attended a training class for certification as a payment card assessor. I came away from that training session with quite a bit more than just the 3-letter acronym for the certification, and I wanted to share some insights and opinions (of course).

First, let me say that the course was atrocious. Horrible. Here’s why: the instructor. Not the material, per se (although there is a lot of room for improvement), but the instructor and his teaching style. He had no style. He was dry, he was stumped on questions at least 10 times per day, and he offered no real-world examples or concrete guidance that attendees could truly benefit from.

The guidance overall was very literal in some areas, but usually vague. So assessors leaving this class are not getting a lot of “lessons learned” or “here is the best way to do this or look at this” kind of advice.

The range of backgrounds and skill sets in the class was as varied as I’ve ever seen. This could be viewed as a positive OR a negative, depending on your perspective, but the frightening thing was the very obvious lack of knowledge some folks had, and some of the questions asked were flat-out stupid. Yes, I said it, and I mean to be a bit derogatory. If you are asking some of the questions I heard in this class, you need to be studying up for Security+ at best.

The test was easy. Really easy.

What’s the takeaway? Well, I have some thoughts, maybe a little advice. Here goes.

First, we really need to start interviewing payment card assessors.

Ask for resumes. Do an actual interview. Ask about real experience with the same technologies in use within the organization. If you don’t like someone, or don’t feel they are a good fit, ASK FOR SOMEONE ELSE or TALK TO A DIFFERENT CONSULTING FIRM! Why is this hard?!

Second, do not let a non-technical manager do the interview or make the call alone. In fact, as some of you know, I am not a fan of “GRC fanboys” running security teams in general, as they tend to be full of shit. “governance blah blah blah” and “controls blah blah blah” do not a true security architecture make. I have about had it with folks who hide behind “frameworks” and paperwork. If the audit team or compliance team makes the decision (and they tend to be a little less technical overall), ensure technical folks are involved to help call BS on would-be assessors who roll buzzword-style.

Third, ask for samples.

Although no one is going to share a formal compliance report with you, some examples of audit reports and writing should be available from assessors and consulting firms. If they won’t provide this, just move on. Don’t waste your time.

The term “enemy” is probably a little strong. However, there is really almost no standardization here. You’re on your own to validate someone’s credentials, and it is obvious to me that consulting firms are hiring some very “green” or less experienced people to do this work. Don’t fall victim to these people, as they can have a huge impact on your business and compliance programs.

A final note: One class attendee, who can only be described as a douchebag, actually described himself as a “Master Security Architect”. If you have any desire to get respect from your peers, or maintain the semblance of a social life, do not ever refer to yourself as a “Master Security Architect”. Gawd.

Here is my theory on this: The majority of people ARE ignorant douchebags but they are the majority. This phenomenon is not limited to the InfoSec field, indeed you see it anywhere there’s tech. Somewhere in their dim collective brain the douchebag mob realize that if a really smart, knowledgeable person were in charge they would all be fired, or at best demoted to rubber stamping TPS reports for $9 an hour. So they make up a lot of buzzwords and call themselves master security architect and such and have worthless training and certification and trivial tests and then they get letters by their names. The truly knowledgeable person is distracted and lost in all that BS because they also feel compelled to do whatever actual (omg dare I say it) WORK gets done. So they have less time to engage in worthless posturing and activities designed to bump up their status (since no one in power understands the actual work anyway.) So when time comes to reward folks the manager (usually as big a douchebag as any of them) looks at the summaries. Well, Mr. Douchebag here just went to a seminar and got his MSA and he smiles and sucks up to me, but Mr. Shackleford couldn’t be bothered, and he seems grumpy about all the doucheyness around here so guess who moves up the power chain.

That’s so funny! Don’t forget though that the federal govt now thinks every employee needs to have either Security+ OR the CISSP. Because those are the same right? Those assessors usually just run Nessus against your webserver, awesome.

I asked all three of them the same question and got three different takes on what would be allowed as a compensating control. Surely if we have this level of disparity between people who are assessing the compliance, then to say one is compliant is merely a perception of the individual QSA who carries out the assessment…